Dlazy Search Audio

Security checks across malware telemetry and agentic risk

Overview

This is a documented dLazy CLI wrapper for searching audio, with disclosed API-key use and remote dLazy processing, though its Pixabay wording and install version notes could be clearer.

Install only if you are comfortable using dLazy’s CLI and sending search queries, parameters, and any provided media inputs to dLazy services. Prefer the npx form or a reviewed pinned CLI version if you do not want a persistent global install, and treat the stored dLazy API key like any other credential.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 88% confidence
Finding: The skill markets itself as a Pixabay Music search tool, but the document later states that prompts and parameters are sent to dLazy-hosted APIs for inference and media handling. This mismatch can mislead users about what service is actually processing their data, causing unintended disclosure of prompts, local file paths, or uploaded media to a third-party SaaS.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal